
PBR next-hop fail, caused by IP CEF and access-list’s logging April 19, 2009

Posted by ZoeL in CCIE LAB, Cisco.

Yes, I know: there is no way an informational logging message can disturb a routing path or a PBR scenario. Actually there is one, if your router's CPU reaches 100% because of excessive logging messages and routing updates get disturbed. That's not what happened here.

Below is my report on the correlation between PBR, IP CEF and access-list logging.

Network Diagram: next-hop scenario (diagram image not reproduced here)

EIGRP routing runs on R2, R3 and R4. R1 and R5 use a default route to their adjacent router.
Dynamic routing automatically picks the single most effective path from R1 to R5, via R2-R4.
Now I want to 'disturb' this path and redirect packets from R1 to R5 via R3. We can accomplish this using PBR: match the specific source and destination IP addresses or subnets with an access-list, and use a set ip next-hop statement to throw the packets to R3.

The problem is, if I put log or log-input after the access-list statements, my PBR scenario won't work.
As you all may know, the real purpose of log is informational messages only. I am not really sure why it affects my whole PBR scheme.

The Cisco IOS software can now provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console command. This capability was previously only available in extended IP access lists.

The first packet that triggers the access list causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

Okay, below are the R1 and R2 configurations. Source IP address 12.12.12.1 (R1), destination 45.45.45 (R5). I am not going to show the configurations for R3, R4 and R5; they are simple and plain, using EIGRP only. All network routes exist in the routing tables on R3, R4 and R5.

R1
—output omitted—
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.12.12.2 <– all packets to R2
!

—output omitted—

R2
—output omitted—
interface FastEthernet0/0 <– connection to R1
ip address 12.12.12.2 255.255.255.252
ip policy route-map nyoba
!
interface FastEthernet0/1 <– connection to R3
ip address 23.23.23.1 255.255.255.252
!
interface FastEthernet1/0 <– connection to R4
ip address 24.24.24.1 255.255.255.252
!
router eigrp 100
network 12.12.12.0 0.0.0.3
network 23.23.23.0 0.0.0.3
network 24.24.24.0 0.0.0.3
no auto-summary
!

— filter for network 12.12.12.0 to 45.45.45.0; right now we use the log parameter —
access-list 101 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo log
access-list 101 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 log
!
route-map nyoba permit 1
match ip address 101
set ip next-hop 23.23.23.2 <–next hop to R3 when access-list hit
!

—output omitted—

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

34.0.0.0/30 is subnetted, 1 subnets
D 34.34.34.0 [90/30720] via 24.24.24.2, 00:14:45, FastEthernet1/0
[90/30720] via 23.23.23.2, 00:14:45, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/156160] via 23.23.23.2, 00:14:43, FastEthernet0/1
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/156160] via 24.24.24.2, 00:14:45, FastEthernet1/0
23.0.0.0/30 is subnetted, 1 subnets
C 23.23.23.0 is directly connected, FastEthernet0/1
24.0.0.0/30 is subnetted, 1 subnets
C 24.24.24.0 is directly connected, FastEthernet1/0
12.0.0.0/30 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/0
45.0.0.0/30 is subnetted, 1 subnets
D 45.45.45.0 [90/30720] via 24.24.24.2, 00:14:46, FastEthernet1/0
R2#

Now, from R1 we test ping and traceroute to R5, hoping the packets traverse R2-R3-R4 instead of R2-R4.

R1#ping 45.45.45.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/125/188 ms

R1#traceroute 45.45.45.2

Type escape sequence to abort.
Tracing the route to 45.45.45.2

1 12.12.12.2 68 msec 64 msec 32 msec
2 24.24.24.2 76 msec 128 msec 92 msec
3 45.45.45.2 96 msec 108 msec *

R1#
R2#sh access-l
Extended IP access list 101
10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo log
20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 log (6 matches)

R2#

As you can see, when I ping from R1, there is no hit count for access-list line 10 and the PBR next-hop fails. Traceroute shows the packets going directly R2 - R4.

Next, we remove the log parameter from the extended access-list.

R2#
R2#sh access-l
Extended IP access list 101
10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo log
20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 log
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip access ex 101
R2(config-ext-nacl)#no 10
R2(config-ext-nacl)#no 20
R2(config-ext-nacl)#10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo
R2(config-ext-nacl)#20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3

R2(config-ext-nacl)#

Now we test ping and traceroute from R1.

R1#
R1#ping 45.45.45.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/132/156 ms
R1#
R1#traceroute 45.45.45.2

Type escape sequence to abort.
Tracing the route to 45.45.45.2

1 12.12.12.2 84 msec 60 msec 128 msec
2 23.23.23.2 108 msec 108 msec 80 msec
3 34.34.34.1 44 msec 120 msec 88 msec

4 45.45.45.2 108 msec 220 msec *
R1#

R2#sh access-l
Extended IP access list 101
10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo (5 matches)
20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 (12 matches)

R2#

As you can see, the packets now traverse R3, and the access-list shows hit counts.

My other test reveals that I am able to use the log parameter together with the PBR next-hop if I turn off ip route-cache cef on the interface connected to R1 (interface FastEthernet0/0).

R2#sh ip cef
Prefix Next Hop Interface
0.0.0.0/32 receive
3.3.3.3/32 23.23.23.2 FastEthernet0/1
4.4.4.4/32 24.24.24.2 FastEthernet1/0
12.12.12.0/30 attached FastEthernet0/0
12.12.12.0/32 receive
12.12.12.1/32 attached FastEthernet0/0
12.12.12.2/32 receive
12.12.12.3/32 receive
23.23.23.0/30 attached FastEthernet0/1
23.23.23.0/32 receive
23.23.23.1/32 receive
23.23.23.2/32 attached FastEthernet0/1
23.23.23.3/32 receive
24.24.24.0/30 attached FastEthernet1/0
24.24.24.0/32 receive
24.24.24.1/32 receive
24.24.24.2/32 attached FastEthernet1/0
24.24.24.3/32 receive
34.34.34.0/30 23.23.23.2 FastEthernet0/1
24.24.24.2 FastEthernet1/0
45.45.45.0/30 24.24.24.2 FastEthernet1/0
Prefix Next Hop Interface
224.0.0.0/4 drop
224.0.0.0/24 receive
255.255.255.255/32 receive
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int fa0/0
R2(config-if)#no ip route-cache cef
R2(config-if)#^Z
R2#sh run int fa0/0
Building configuration…

Current configuration : 168 bytes
!
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.252
no ip route-cache cef
ip policy route-map nyoba
end

And now, test ping and traceroute from R1 to R5.

R1#ping 45.45.45.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/140/200 ms

R1#
R1#traceroute 45.45.45.2

Type escape sequence to abort.
Tracing the route to 45.45.45.2

1 12.12.12.2 72 msec 80 msec 48 msec
2 23.23.23.2 64 msec 124 msec 64 msec
3 34.34.34.1 76 msec 156 msec 64 msec

4 45.45.45.2 104 msec 144 msec *
R1#

R2#sh access-l
Extended IP access list 101
10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 log (5 matches)
20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 log (12 matches)

R2#

It appears my log and next-hop now work perfectly.
So my best explanation is: when the access-list's logging parameter is activated, forwarding using the next-hop fails because the Forwarding Information Base on router R2 shows the FIB next-hop for 45.45.45.2 via 24.24.24.2 (router R4). By removing interface FastEthernet0/0 from the IP CEF process, PBR processes the next-hop to R3 and skips the CEF table.
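The verification the author performs by hand above (read the traceroute from R1, then read the ACE hit counts on R2) is easy to script. The following is an added example, not code from the original post; it parses the captured show output, using the outputs reproduced on this page as constructed samples, and flags a failed policy route together with any ACEs that carry the log keyword.

```python
import re

# Sample captures copied from the R1/R2 outputs shown on this page.
TRACE_WITH_LOG = """Tracing the route to 45.45.45.2
  1 12.12.12.2 68 msec 64 msec 32 msec
  2 24.24.24.2 76 msec 128 msec 92 msec
  3 45.45.45.2 96 msec 108 msec *"""
ACL_WITH_LOG = """Extended IP access list 101
    10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo log
    20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 log (6 matches)"""
TRACE_NO_LOG = """Tracing the route to 45.45.45.2
  1 12.12.12.2 84 msec 60 msec 128 msec
  2 23.23.23.2 108 msec 108 msec 80 msec
  3 34.34.34.1 44 msec 120 msec 88 msec
  4 45.45.45.2 108 msec 220 msec *"""
ACL_NO_LOG = """Extended IP access list 101
    10 permit icmp 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 echo (5 matches)
    20 permit ip 12.12.12.0 0.0.0.3 45.45.45.0 0.0.0.3 (12 matches)"""

HOP_RE = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.M)
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(?:permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$", re.M)

def traceroute_hops(text):
    """Hop addresses in order, e.g. ['12.12.12.2', '24.24.24.2', ...]."""
    return HOP_RE.findall(text)

def acl_entries(text):
    """Map ACE sequence number -> (uses log/log-input, match count)."""
    entries = {}
    for seq, body, count in ACE_RE.findall(text):
        uses_log = re.search(r"\blog(?:-input)?\b", body) is not None
        entries[int(seq)] = (uses_log, int(count) if count else 0)
    return entries

def pbr_effective(trace_text, acl_text, set_next_hop, policy_hop=2):
    """PBR is honoured when the hop after the policy router (hop 2 seen from R1) is the configured next hop AND some ACE shows hits."""
    hops = traceroute_hops(trace_text)
    entries = acl_entries(acl_text)
    actual = hops[policy_hop - 1] if len(hops) >= policy_hop else None
    hit = sorted(seq for seq, (_, n) in entries.items() if n > 0)
    logged = sorted(seq for seq, (lg, _) in entries.items() if lg)
    # A failed check with non-empty 'aces_with_log' is the CEF + ACL-logging symptom described on this page.
    return {"ok": actual == set_next_hop and bool(hit), "hop_after_policy_router": actual,
            "aces_with_hits": hit, "aces_with_log": logged}
```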

Still, this does not resolve my confusion.
Why can access-list logging not work together with IP CEF (FIB)?
Why is the log or log-input parameter, whose only job is to 'simply' give us informational messages, the cause of the PBR next-hop problem? And more importantly, why does everything work fine if I'm not using the log parameter, even though IP CEF is enabled on the Ethernet interface?

Notes: FYI, I tested this scenario using Dynamips with a 7204VXR router and Cisco IOS version 12.2(25)S15, and I have tried other, newer IOS versions, all with the same result.

Cisco Links :

ACL LOGGING
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/stdlog.html

PBR
http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

.end.
